Cloud-based security service that includes external evaluation for accessing a third-party application
Abstract
A cloud-based security service that includes external evaluation for accessing a third-party application. The security service receives a request to access a third-party application from a client device. The security service enforces a set of one or more access policies configured for the third-party application including an external evaluation rule. As part of enforcing the external evaluation rule, the security service transmits an external evaluation request to an external endpoint defined in the external evaluation rule. The external evaluation request includes an identity of a user associated with the request. The security service receives the result of the external evaluation. If the external evaluation passed, the security service grants access to the third-party application based at least in part on its passing.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A method in a server providing a cloud-based security service, comprising:
receiving, from a client device at the cloud-based security service, a request to access a third-party application;
determining an identity of a user associated with the request;
determining, at the cloud-based security service, a set of one or more access policies that are configured for accessing the third-party application, wherein the set of one or more access policies includes:
an identity-based access rule that specifies criteria the identity of the user associated with the request must meet to satisfy the identity-based access rule, and
an external evaluation rule;
enforcing the identity-based access rule including determining that the identity of the user associated with the request meets the specified criteria;
enforcing the external evaluation rule including transmitting an external evaluation request to an external endpoint defined in the external evaluation rule, wherein the external endpoint is external to the cloud-based security service and is controlled or managed by an owner or operator of the third-party application, and wherein the external evaluation request includes an identity of a user associated with the request;
receiving, from the external endpoint defined in the external evaluation rule, an external evaluation response that is responsive to the external evaluation request, the external evaluation response specifying that an external evaluation has passed; and
granting access to the third-party application based at least in part on receiving the external evaluation response specifying that the external evaluation has passed.
2. The method of claim 1 , wherein granting access to the third-party application includes transmitting the request to the third-party application.
3. The method of claim 1 , further comprising:
wherein granting access to the third-party application includes setting an authorization cookie or token and redirecting the client device to transmit the request again with the authorization cookie or token; and
transmitting the request to the third-party application.
4. The method of claim 1 , wherein determining the identity of the user associated with the request includes:
causing the client device to transmit an authentication request to an identity provider; and
receiving, from the client device, an authentication response that was generated by the identity provider that identifies the user and signifies the user has successfully authenticated to the identity provider.
5. The method of claim 1 , further comprising:
wherein the set of one or more access policies further includes a device posture rule that specifies criteria related to device posture in which the client device must meet for satisfying the device posture rule; and
enforcing the device posture rule including:
transmitting a request for device posture status of the client device to an endpoint protection provider,
receiving a response to the request for device posture status of the client device from the endpoint protection provider, and
determining that the device posture status of the client device meets the specified criteria in the device posture rule.
6. The method of claim 1 , wherein the cloud-based security service acts as a service provider on behalf of the third-party application.
7. A non-transitory machine-readable storage medium that provides instructions that, if executed by a processor of a server providing a cloud-based security service, will cause said processor to perform operations comprising:
receiving, from a client device at the cloud-based security service, a request to access a third-party application;
determining an identity of a user associated with the request;
determining, at the cloud-based security service, a set of one or more access policies that are configured for accessing the third-party application, wherein the set of one or more access policies includes:
an identity-based access rule that specifies criteria the identity of the user associated with the request must meet to satisfy the identity-based access rule, and
an external evaluation rule;
enforcing the identity-based access rule including determining that the identity of the user associated with the request meets the specified criteria;
enforcing the external evaluation rule including transmitting an external evaluation request to an external endpoint defined in the external evaluation rule, wherein the external endpoint is external to the cloud-based security service and is controlled or managed by an owner or operator of the third-party application, and wherein the external evaluation request includes an identity of a user associated with the request;
receiving, from the external endpoint defined in the external evaluation rule, an external evaluation response that is responsive to the external evaluation request, the external evaluation response specifying that an external evaluation has passed; and
granting access to the third-party application based at least in part on receiving the external evaluation response specifying that the external evaluation has passed.
8. The non-transitory machine-readable storage medium of claim 7 , wherein granting access to the third-party application includes transmitting the request to the third-party application.
9. The non-transitory machine-readable storage medium of claim 7 , wherein the operations further comprise:
wherein granting access to the third-party application includes setting an authorization cookie or token and redirecting the client device to transmit the request again with the authorization cookie or token; and
transmitting the request to the third-party application.
10. The non-transitory machine-readable storage medium of claim 7 , wherein determining the identity of the user associated with the request includes:
causing the client device to transmit an authentication request to an identity provider; and
receiving, from the client device, an authentication response that was generated by the identity provider that identifies the user and signifies the user has successfully authenticated to the identity provider.
11. The non-transitory machine-readable storage medium of claim 7 , wherein the operations further comprise:
wherein the set of one or more access policies further includes a device posture rule that specifies criteria related to device posture in which the client device must meet for satisfying the device posture rule; and
enforcing the device posture rule including:
transmitting a request for device posture status of the client device to an endpoint protection provider,
receiving a response to the request for device posture status of the client device from the endpoint protection provider, and
determining that the device posture status of the client device meets the specified criteria in the device posture rule.
12. The non-transitory machine-readable storage medium of claim 7 , wherein the cloud-based security service acts as a service provider on behalf of the third-party application.
13. A server providing a cloud-based security service, the server comprising:
a processor; and
a non-transitory machine-readable storage medium that provides instructions that, if executed by the processor, will cause the server to perform operations including:
receiving, from a client device at the cloud-based security service, a request to access a third-party application;
determining an identity of a user associated with the request;
determining, at the cloud-based security service, a set of one or more access policies that are configured for accessing the third-party application, wherein the set of one or more access policies includes:
an identity-based access rule that specifies criteria the identity of the user associated with the request must meet to satisfy the identity-based access rule, and
an external evaluation rule;
enforcing the identity-based access rule including determining that the identity of the user associated with the request meets the specified criteria;
enforcing the external evaluation rule including transmitting an external evaluation request to an external endpoint defined in the external evaluation rule, wherein the external endpoint is external to the cloud-based security service and is controlled or managed by an owner or operator of the third-party application, and wherein the external evaluation request includes an identity of a user associated with the request;
receiving, from the external endpoint defined in the external evaluation rule, an external evaluation response that is responsive to the external evaluation request, the external evaluation response specifying that an external evaluation has passed; and
granting access to the third-party application based at least in part on receiving the external evaluation response specifying that the external evaluation has passed.
14. The server of claim 13 , wherein granting access to the third-party application includes transmitting the request to the third-party application.
15. The server of claim 13 , wherein the operations further comprise:
wherein granting access to the third-party application includes setting an authorization cookie or token and redirecting the client device to transmit the request again with the authorization cookie or token; and
transmitting the request to the third-party application.
16. The server of claim 13 , wherein determining the identity of the user associated with the request includes:
causing the client device to transmit an authentication request to an identity provider; and
receiving, from the client device, an authentication response that was generated by the identity provider that identifies the user and signifies the user has successfully authenticated to the identity provider.
17. The server of claim 15 , wherein the operations further comprise:
wherein the set of one or more access policies further includes a device posture rule that specifies criteria related to device posture in which the client device must meet for satisfying the device posture rule; and
enforcing the device posture rule including:
transmitting a request for device posture status of the client device to an endpoint protection provider,
receiving a response to the request for device posture status of the client device from the endpoint protection provider, and
determining that the device posture status of the client device meets the specified criteria in the device posture rule.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.